We know how rewarding it is to run your own business — as long as you avoid the boring stuff, of course! GDPR is almost certainly one of the duller parts of running your own business, but unfortunately you can’t ignore it, just like you can’t ignore paying tax or following legislation.
The aim of this handbook is to help you and your company by offering practical guidance about what you need to do to comply with GDPR. Look at this guide as a way of kickstarting your company’s journey towards GDPR compliance.
All businesses need to comply with GDPR, the EU General Data Protection Regulation that replaced the Swedish Personal Data Act (PUL) in May 2018. GDPR applies in all EU member states, and a breach can result in consequences ranging from a reprimand that requires corrective action to a fine of up to 4% of your company's worldwide annual turnover (or EUR 20 million, whichever is higher).
Absolutely — you just need to have the right legal basis for processing the personal data. In this guide, we examine precisely what these legal grounds are.
The underlying aim of GDPR is very positive — you've probably seen reports of personal data being used to influence elections, for example. GDPR exists to protect individuals' fundamental rights and freedoms, and is intended to ensure that misuse of personal data no longer goes without serious consequences.
It’s unlikely that you’ll comply 100% with GDPR for a number of reasons—but what’s important is that you try your best! This guide ensures that your company will do much more to comply with GDPR than most, which is good for you and shows your customers that you take their personal integrity seriously.
Personal data is any information that can be used to identify a natural, living person, either directly or indirectly in combination with other information. You don't need to be a rocket scientist to work out that a great deal of information is now classified as personal data, including your name, email address, IP address and much more.
GDPR requires you to provide information about how you process personal data. This is achieved by your integrity policy (privacy policy) and other measures. Konsento allows you to create and upload your integrity policy to your website, which can then simply be updated — without needing to involve IT professionals.
In order to determine how you process personal data you first need to create an inventory and a register of the personal data you process. We help you by providing concrete examples and a template that you can use to create your own register.
This register must be kept in writing, which under GDPR includes electronic form, and you must be able to show it to the supervisory authority on request. In practice, a digital register is the only sensible choice.
You're also responsible for the suppliers that process personal data on your behalf — your processors (think customer relationship management (CRM) systems etc.) and in turn their sub-processors — which means that you need a signed Data Processing Addendum with each of them. We provide you with complete texts that you can use to obtain the right information from your processors.
You’ve probably seen the consent boxes that you’re required to tick on many websites. These are used to obtain your consent to processing your personal data. But did you know that GDPR specifically bans pre-ticked opt-in boxes?
If you use consent as the legal basis for processing personal data, you need to be able to show when the consent was given, and what information you provided to the individual giving their consent. Does your website do this at the moment?
Konsento provides you with an advanced consent management system and suggestions about how to minimise the number of irritating pop-ups on your website.
GDPR provides all individuals in the EU with additional rights that we'll be covering in more detail in this guide. A key feature is that individuals can exercise their rights at any time, and that you have one calendar month to respond (extendable by a further two months only where a request is genuinely complex, and only if you tell the individual within the first month).
The Personal Data Act allowed you to levy a small service charge, but this is no longer possible under GDPR unless a request is manifestly unfounded or excessive — for example because an individual repeatedly requests the same information. So how will you keep track of these requests so that you know whether you can charge a fee or not?
Konsento provides you with an easy-to-use form that individuals can use to enter their information and exercise their rights. You also get an accessible case management system that allows you to keep track of information requests and ensure that no cases fall between the cracks.
This guide is based on information from the Swedish Data Protection Authority’s website and the Information Commissioner's Office website, as well as our own experience of helping companies and organizations get started with GDPR compliance.
All companies process personal data a little differently, which means that following this guide doesn’t necessarily mean 100% compliance with GDPR. If you feel that you need further expert advice in any area, we recommend that you contact an independent legal advisor specializing in GDPR.
Following this guide will clarify specific areas that you might need help with, which means that a legal advisor will be able to help you much more quickly (which probably significantly reduces the cost).
Personal Data:
Personal data is defined as any information relating to an identified or identifiable, directly or indirectly, natural person.
Controller:
The person or organisation that decides why (the purposes) and how (the means) personal data is processed.
GDPR:
The General Data Protection Regulation.
Processing:
Any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Individual:
A natural, living person.
The first step is to increase awareness of GDPR in your company, particularly on the Board of Directors. We recommend that you hold a Board meeting with an agenda item relating to GDPR as soon as possible. Before the meeting, make sure that all Board members have reviewed this easy-to-read document published by the EU.
GDPR agenda item
tip: Naturally, all your staff will contribute to GDPR compliance, but from experience we recommend that you create a small team with responsibility for GDPR. You might want to relieve these individuals of other responsibilities to ensure that you get the momentum of your GDPR compliance going.
It’s important that your company takes personal integrity very seriously and appoints an individual with responsibility for compliance. Some companies will need to appoint a dedicated Data Protection Officer, but even if you don’t do this, it may be helpful to define a professional role and allocate it to a specific member of staff.
Before starting the process of identifying the personal data that your company handles, we’ll start by looking at what constitutes personal data, and what’s required to be authorized to process personal data.
Personal data is defined as any information that can be linked to a natural person. This includes name, address and personal identity number. Photos of individuals are also classified as personal data. Digitally stored sound recordings may also constitute personal data, even if the recording doesn’t include a name. Corporate identity numbers are usually not classified as personal data, although this could be the case if a company is incorporated as a sole trader. Car registration numbers may constitute personal data if they can be linked to a natural person, while company car registration numbers used by multiple individuals probably aren’t personal data.
Some personal data is intrinsically sensitive and is therefore subject to stronger protection. This is defined as sensitive personal data (GDPR calls it "special categories of personal data"; it includes health data, ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, and genetic and biometric data). As a rule, sensitive personal data may not be processed, although there are exceptions. Before you process sensitive personal data, you must determine both the legal basis for processing the data and which of the specific exceptions for sensitive data applies.
Source: Information Commissioner's Office
To make it easier for you, we’ve outlined some concrete examples of what constitutes personal data:
Of course you can! The only requirement is that you have the right legal grounds for processing the data.
There are six legal grounds that can be applied.
Consent:
The registered individual has given their consent to the processing of personal data. Please note that in many cases it’s not appropriate or even possible to rely on consent given by the registered individual. This means that we recommend that you examine whether it’s possible to base your personal data processing on one of the other legal grounds.
Contractual necessity:
The processing is necessary to perform a contract to which the registered individual is party, or to take steps at the individual's request before entering into a contract with the controller.
Legitimate interests:
The controller is allowed to process personal data without the consent of the data subject if the controller has a legitimate interest, the processing is necessary for that interest, and — after weighing the two — the interest is not overridden by the interests or fundamental rights of the data subject. Document this balancing test; you'll need to show it if challenged.
Legal obligations:
There are laws or regulations that require the controller to process personal data in their operations.
Public interest:
The controller is required to process personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Vital interests:
The processing is necessary to protect the vital interests of the data subject or another natural person, typically where the individual is unable to give consent, for example if unconscious.
Contact information for individuals approached as part of your sales process:
Legitimate interests
Contact information for customers in your order system:
Contractual necessity
Contact information for employees:
Contractual necessity, legal obligations, legitimate interests
Email addresses collected from contact forms on your website for newsletters or other marketing (simply replying to an inquiry can usually rest on legitimate interests instead):
Consent
As an employer, you’re required to process personal data relating to your employees, and certain data needs to be collected in order to fulfil the contract between you as employer and your employees. This may include information required to calculate your employees’ salary, but also information relating to entry systems, switchboard and other IT systems.
The company also needs to process personal data relating to employees to comply with legal requirements such as reporting of tax and social security expenses.
If your data processing includes contact information for relatives of your employees, we recommend that your integrity policy includes information about this.
You’ll need to check if your company applies the Personal Data Act exception regarding the processing of unstructured personal data, also known as the abuse rule. This rule no longer applies under GDPR, and you’ll need to apply different legal grounds for processing personal data.
The individual whose personal data is processed, the data subject, has a number of rights under GDPR. In summary, these rights mean that the data subject must be informed of when and how their personal data is processed, and retain control over their personal data. In some cases, these rights include the right to have data corrected, deleted or blocked, or to retrieve or transfer the data. The data subject’s rights have been extended, strengthened and specified under GDPR compared to the Personal Data Act. More information about these rights can be found below:
The right to access:
Individuals have the right to access a copy of the personal data you hold on them.
The right to have information corrected:
Individuals can request to have their data corrected or completed if it's inaccurate or incomplete.
The right to deletion:
Individuals have the right to request that you delete their personal data. You may refuse to delete personal data that you're required to keep by law, but you must tell the individual why.
The right to data portability:
Individuals have the right to receive the personal data they've provided to you in a structured, commonly used, machine-readable format, and to have it transferred from your IT environment to another company where technically feasible. This applies to data processed by automated means on the basis of consent or a contract, not to information that you're required to keep by law.
The right to withdraw consent:
Individuals have the right to withdraw consent to sharing their personal data or marketing / email communication at any time.
The right to object: Individuals have the right to object to processing based on legitimate interests or public interest, and an absolute right to object to direct marketing, which you must stop at once. Individuals can also lodge a complaint with the Swedish Data Protection Authority if they believe the processing of their personal data is in breach of GDPR.
Summary
This was quite a dense chapter where we've tried to give you an overview of GDPR and provide you with some ideas that we hope will help you in your work. If you feel that you need more information, we suggest that you review the information provided at https://ico.org.uk
This might be one of the more complex and time-consuming steps in the handbook, and some points that you had probably not previously thought of might arise during this stage.
Simply put, a register is a document containing an inventory of the different kinds of personal data processing your company carries out that you need to be able to present to the authorities on request.
You're legally obliged to present this document to the relevant supervisory authority on request. Read more about this on the Information Commissioner's Office website. The law states that the register must be kept in writing, which includes electronic form, so a digital register is the practical choice.
In the previous chapter, we gave you some examples of different types of personal data that you probably process. Use these examples to start your review of the personal data that your company currently processes. Then collate this personal data in a simple list (information contained in your order systems, contact data in CRM systems, IP addresses in website logs etc.).
Feel free to download our register template here.
Tip: You’ll be creating a range of documents, so it might be a good idea to create a GDPR folder and keep this with your other important documents.
For each personal data entry, ask yourself the following questions (feel free to read through this a couple of times).
Ensure that every line / data entry has a single purpose. If you use the same information for different purposes, you can copy the line and update the relevant sections. For example, if you use a person’s email address to send them a newsletter and to deliver goods they’ve purchased, these are two different purposes.
If you get stuck on any section of the template, just skip that part and continue with the next data processing item and purpose.
By now, you should have a reasonably up-to-date list which probably feels pretty good, right? You may even have noticed some things you weren’t aware of before?
However, there’s one more thing you need to do. We started by making a note of the various data that you’re aware that you process. Now, we’d like to ask you to write down all the different systems and applications that you use.
For each system, ask yourself the following:
We also recommend that you carry out a risk assessment. There are many ways to do this, depending on the size of your company. An easy solution would be to arrange a workshop with your IT manager, and produce a list that states
If you use consent as the legal basis for your data processing, it’s important that you obtain the consent correctly under GDPR.
To begin with, GDPR no longer permits a single checkbox accompanied by a statement such as "By submitting this form you consent to being contacted about your request, including subscription to our newsletter." Bundling a necessary action (answering the request) with an optional one (the newsletter) is not freely given consent. Under GDPR you need to present two separate options.
GDPR also prohibits pre-ticked boxes. You might think: "But what about all the pre-ticked cookie consent boxes I've seen on websites — they seem to be standard?" Well, they don't meet the GDPR standard for consent, so avoid pre-ticked boxes.
Consent is a very complex subject and we recommend that you study it in more detail on your national supervisory authority's website, for example https://ico.org.uk, as well as potentially obtaining legal advice if you still feel uncertain.
Many CRM and newsletter services have different ways of achieving this, and you can find out more about it on the relevant websites. However, you may also provide a contact form on your own website, and if so, it’s important to update the text in each field.
It's also important that you can prove that consent has been obtained: record who consented, when, to what exact wording, and how (which form or page), and make withdrawing consent as easy as giving it.
Most contact forms have three fields: name, email and description.
We suggest that you describe how the information will be used in each field. For example, under name and email you could write: “We use your name and email to contact you as a result of your inquiry.”
Under comments, you could write: "Avoid including personal data in this field."
Tip: Konsento makes it easy to collect consent using hosted consent forms or via an integration with your own applications.
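To show what "proving consent" means in practice on your own website, here is an added example of how a form handler can record granular, provable consent. It's illustration code written for this handbook, not part of Konsento's product or any other project; the purposes, policy version, class and function names are hypothetical, and the submitted form in the usage at the bottom is a constructed sample.

```python
"""Recording provable, granular consent from a website form.

Added example, not code from the handbook's authors or from Konsento.
Purpose names, POLICY_VERSION and the class/function names are
hypothetical; the form submission at the bottom is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# One separate opt-in per purpose, each with its own checkbox that is
# unticked by default: no pre-ticked boxes and no bundling "answer your
# inquiry" with "send you the newsletter".
PURPOSES = {
    "newsletter": "We will send you our monthly newsletter. You can unsubscribe at any time.",
    "product_updates": "We will email you about new products and offers.",
}
POLICY_VERSION = "2018-05-25"  # version of the privacy policy linked next to the form


@dataclass(frozen=True)
class ConsentRecord:
    subject: str           # e.g. the email address entered in the form
    purpose: str
    given_at: datetime     # UTC, so you can show *when* consent was given
    statement_sha256: str  # hash of the exact wording shown, so you can show *what* was said
    policy_version: str
    source: str            # which form / page the consent came from


@dataclass
class ConsentStore:
    records: list[ConsentRecord] = field(default_factory=list)
    withdrawn: set[tuple[str, str]] = field(default_factory=set)

    def record(self, rec: ConsentRecord) -> None:
        self.records.append(rec)
        self.withdrawn.discard((rec.subject, rec.purpose))

    def withdraw(self, subject: str, purpose: str) -> None:
        # Keep the original record as evidence; mark the purpose withdrawn.
        self.withdrawn.add((subject, purpose))

    def has_consent(self, subject: str, purpose: str) -> bool:
        if (subject, purpose) in self.withdrawn:
            return False
        return any(r.subject == subject and r.purpose == purpose for r in self.records)

    def evidence(self, subject: str) -> list[ConsentRecord]:
        """Everything you would show the individual or the authority."""
        return [r for r in self.records if r.subject == subject]


def handle_form_submission(form: dict[str, str], store: ConsentStore,
                           source: str = "/contact", now: datetime | None = None) -> list[str]:
    """Process a submitted form; return the purposes consent was recorded for.

    `form` mimics an HTTP POST body: an unticked checkbox is absent from
    the body, a ticked one carries the value "on". Anything else is not
    consent, so nothing is recorded for it.
    """
    now = now or datetime.now(timezone.utc)
    email = form.get("email", "").strip().lower()
    if not email:
        raise ValueError("email is required to respond to the inquiry")
    granted = []
    for purpose, statement in PURPOSES.items():
        if form.get(f"consent_{purpose}") != "on":
            continue  # unticked: no consent, nothing to record
        store.record(ConsentRecord(
            subject=email,
            purpose=purpose,
            given_at=now,
            statement_sha256=hashlib.sha256(statement.encode()).hexdigest(),
            policy_version=POLICY_VERSION,
            source=source,
        ))
        granted.append(purpose)
    return granted


if __name__ == "__main__":
    # Constructed sample: the visitor ticked only the newsletter box.
    store = ConsentStore()
    body = {"name": "Anna", "email": "Anna@example.org", "consent_newsletter": "on"}
    print(handle_form_submission(body, store))                       # ['newsletter']
    print(store.has_consent("anna@example.org", "newsletter"))       # True
    print(store.has_consent("anna@example.org", "product_updates"))  # False
    store.withdraw("anna@example.org", "newsletter")
    print(store.has_consent("anna@example.org", "newsletter"))       # False
```

The hash of the statement ties each record to the exact wording the visitor saw, so if you later reword the text or change the policy version you can tell which individuals consented to which version — which matters when a change of purpose requires fresh consent.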
Transparency and information are fundamental principles of GDPR, and also central rights of individuals. This means that you need to describe how you process personal data and why you do this simply and clearly. This information needs to be easily accessible (preferably on the company’s website and in your email signature).
Konsento provides you with a template that you can base your integrity policy on. This can then be easily uploaded to your website and added to your email signature.
An integrity policy must include:
Because all companies process personal data differently, the integrity policy may need to be amended on the basis of the inventory you created in the previous chapter. If so, we suggest you do one of the following:
Action: Have you created an integrity policy for external and internal use?
We believe that a separate chapter is needed for this, as there’s quite a lot you need to do and some of it is a bit technical.
Ensure that this is provided on your website, particularly on pages where you collect personal data. By using our integrity policy template, you can create a large proportion of your integrity policy with a single mouse click.
Konsento allows you to create and add your integrity policy to your website. It’s then easy to update it without having to involve IT staff.
Make sure your online forms have been adapted to comply with the more stringent consent requirements and that your integrity policy can be found close to these forms.
Let’s use the example of a contact form, which many companies include on their website. These often have a subject field, a text box and fields for entering name and email address.
Under the previous Personal Data Act, it was sufficient to provide a tiny checkbox next to a text stating that “you approve the processing of your data under PUL.” Under GDPR, however, this is no longer enough. You need to expressly tell users what you’re going to do with their personal data (their name and email in this example). The easiest way to do this is by providing information under the name and email fields stating: “We will only use your name and email to respond to your request”.
This means that you no longer need the annoying checkbox — although you do need to make sure that there's a link to your integrity policy next to the contact form.
Most companies collect statistics about how their website is used. There are quite a few tools to help you with this — Google Analytics is the most common. With its default configuration, Google Analytics collects full IP addresses and sets tracking cookies, which does not comply with GDPR on its own, although this can easily be solved. The person using your Google Analytics account needs to make some changes to the configuration, such as enabling IP anonymisation and accepting Google's data processing terms — a number of articles describe this in more detail, and we suggest that you enter "Google Analytics GDPR compliant" into your search engine to find out more.
By following this advice, you reduce the personal data you collect to a minimum (for example truncated IP addresses that no longer identify an individual device) while continuing to collect helpful statistics about your website visitors.
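The same idea applies to your own web server logs, which the register chapter lists as a source of personal data (IP addresses). Here is an added example, not code from the handbook or from Google, that truncates client addresses in access-log lines before they're stored — zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, the same truncation Google Analytics' IP anonymisation setting applies. The log lines are constructed samples and the function names are hypothetical.

```python
"""Truncating client IP addresses in web server access logs.

Added example, not code from the handbook's authors. The log lines in
SAMPLE_LOG are constructed; the function names are hypothetical.
"""
import ipaddress
import re

# Common Log Format / nginx default: the client address is the first field.
_LOG_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)?$")

# Constructed sample log (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.57 - - [25/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 1043',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:00:02 +0000] "GET /about HTTP/1.1" 200 512',
    '- - - [25/May/2018:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 404 0',
]


def anonymize_ip(ip: str) -> str:
    """Clear the host-identifying bits of an address.

    IPv4 keeps the first 24 bits (last octet zeroed); IPv6 keeps the
    first 48 bits (last 80 bits zeroed). What remains is still good
    enough for country/region statistics but no longer points at a
    single device.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite one log line; lines whose first field isn't an IP are left alone."""
    line = line.rstrip("\n")
    m = _LOG_RE.match(line)
    if not m:
        return line
    try:
        ip = anonymize_ip(m.group("ip"))
    except ValueError:  # e.g. "-" when the address is unknown
        return line
    return ip + (m.group("rest") or "")


def anonymize_log(lines):
    """Apply anonymize_log_line to every line; run this before the log is stored."""
    return [anonymize_log_line(line) for line in lines]


if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Truncating at write time, in the log pipeline or a log-rotation hook, is the point: an IP address that's already stored for months is personal data in your register whether or not you ever look at it.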
If you don't already do this, we strongly recommend that you deliver your website via HTTPS (an encrypted connection). Most browsers now show a "Not secure" warning in the address bar for pages served over plain HTTP — which erodes your credibility and affects your Google ranking — and any personal data typed into a form on such a page travels across the network unencrypted.
It's relatively easy to activate HTTPS on a website today, and it's not usually very expensive (certificates from Let's Encrypt are free, and most hosting providers offer them). It's a small investment that improves your website's credibility.
As mentioned previously, individuals have six rights under GDPR and can contact you at any time to exercise one or several of their rights.
Once you've received a request, you have one calendar month to respond, counted from the day you receive it whether or not that's a public holiday. Only for genuinely complex requests may you extend this by up to two further months, and you must tell the individual about the extension within the first month.
Konsento provides you with a portal where individuals can submit their requests to exercise their rights, making it easier for you to monitor and respond to requests. You can look at it like a case management system, where you can see how many requests an individual has made, allocate cases to members of staff and make notes.
Individuals have the right to exercise their rights free of charge. Only if a request is manifestly unfounded or excessive — in particular because the individual requests the same information repeatedly — are you entitled to charge a reasonable fee or to refuse, and you must then be able to demonstrate why.
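Two pieces of this are easy to get wrong in a home-grown case register: the deadline arithmetic and the decision about repeat requests. The following added example (written for this handbook, not Konsento's portal or any other product) computes the response deadline as the same calendar date in the next month, or the last day of that month when no such date exists, which is how the ICO explains the one-month rule, with the two-month extension for complex requests; and it flags a request as potentially chargeable when the same individual has already made the same kind of request within a window. The 365-day repeat window, the class and function names and the sample requests are assumptions constructed for the example.

```python
"""Data-subject request log: response deadlines and repeat requests.

Added example, not code from the handbook's authors or from Konsento.
The one-month rule follows Article 12(3) GDPR as the ICO explains it
(same date next month, or that month's last day). The 365-day window
for treating repeats as "repetitive" is an assumption for this example.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date


def add_months(d: date, months: int) -> date:
    """Same calendar date `months` later, or the month's last day if shorter."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received: date, complex_request: bool = False) -> date:
    """One month from receipt; up to two more for complex requests (Art. 12(3)).
    The extension itself has to be communicated within the first month."""
    return add_months(received, 3 if complex_request else 1)


def deadline_for(received_iso: str, complex_request: bool = False) -> str:
    """ISO-date convenience wrapper around response_deadline()."""
    return response_deadline(date.fromisoformat(received_iso), complex_request).isoformat()


@dataclass(frozen=True)
class Request:
    subject: str   # identifier for the individual, e.g. their email address
    right: str     # "access", "rectification", "erasure", "portability", "object", ...
    received: date


@dataclass
class RequestLog:
    requests: list[Request] = field(default_factory=list)
    repeat_window_days: int = 365  # assumption: same request within a year is repetitive

    def register(self, subject: str, right: str, received_iso: str,
                 complex_request: bool = False) -> dict:
        """Log a request and return what the case handler needs to know."""
        received = date.fromisoformat(received_iso)
        earlier = [
            r for r in self.requests
            if r.subject == subject and r.right == right
            and 0 <= (received - r.received).days <= self.repeat_window_days
        ]
        self.requests.append(Request(subject, right, received))
        return {
            "deadline": response_deadline(received, complex_request).isoformat(),
            "prior_requests": len(earlier),
            # Art. 12(5): free of charge unless manifestly unfounded or excessive,
            # "in particular because of their repetitive character". A repeat is a
            # reason to consider a fee, not an automatic one: a human decides.
            "fee_may_apply": len(earlier) > 0,
        }


if __name__ == "__main__":
    log = RequestLog()
    print(deadline_for("2018-01-31"))                                   # 2018-02-28
    print(log.register("anna@example.org", "access", "2018-06-01"))    # fee_may_apply False
    print(log.register("anna@example.org", "access", "2018-07-01"))    # fee_may_apply True
```

Note that the deadline is counted on calendar days, not working days; if you want the ICO's allowance of replying on the next working day when the deadline lands on a weekend or holiday, add that as a separate step rather than by changing the month arithmetic.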
Regardless of whether you've created your own customer register or you're using an external system, you'll need to obtain a signed Data Processing Addendum from every supplier that processes personal data on your behalf. You must also ensure that your processors comply with the agreement. This means that they need to tell you who their own sub-processors are, where the data is stored and what they do with the personal data you entrust to them.
If you’ve created your own system, you’ll need to sign a similar agreement with your infrastructure provider.
You can check if you’ve already entered into agreements through third parties here: https://github.com/tollwerk/data-processing-agreements
If your suppliers aren't included on the list, you can send them the following email to find out if they comply with GDPR. Most suppliers already have a Data Processing Addendum that you can review and sign. It's very important that you ensure that they aren't doing anything untoward with your customers' personal data.
If a supplier can't provide a Data Processing Addendum, you may want to ask why. If you decide to keep using them anyway, you need to cover this in your integrity policy, and if you're not happy with their answer, you should probably change your supplier.
Subject: GDPR Compliance
Text:
Hi,
We’re currently reviewing our sub-processors to ensure that they’re in compliance with GDPR.
Are you GDPR compliant?
Do you have a Data Processing Addendum that I can execute?
Looking forward to your response.
Best regards
[name]
[company name and contact details]
You’ve now come a long way in terms of your GDPR work, and have produced some documentation that you’ll need to maintain:
We suggest that you review this documentation once annually and update it as required, deleting any personal data that you no longer use.
It’s worth bearing in mind that if you amend or change your personal data processing routines where the data has been gathered on the legal basis of consent, this might require you to obtain new consent.
Another possibility that we've not yet addressed is a personal data breach. Under GDPR, you're required to report a breach to the Data Protection Authority within 72 hours of becoming aware of it, unless it's unlikely to result in a risk to the individuals concerned, and where the risk is high you must also inform the individuals themselves. Keep an internal log of every breach, including the ones you decide not to report and why. The local Data Protection Authority should provide a procedure for you to follow on their website, under "Report data breach."
It may be worth checking some of your conclusions with a GDPR specialist / legal advisor. Because you’ve already done a lot of the work, the specialist will probably be able to give you an answer more quickly. They won’t need to do any of the things you’ve already done, and can just review your documents and conclusions.
GDPR is an interesting field, and as you'll have noticed it's actually not too difficult to deal with. Naturally, this guide isn't exhaustive, as GDPR relates to all the personal data your company gathers, and the type of data varies between companies.
However, by using this handbook, you’ll have taken a huge step towards compliance with GDPR, which means that you’ve done much more than many others. Congratulations!
We hope you've found this handbook useful, and we'd love to hear from you about how your work progresses. Feel free to email us at hej@konsento.io, or raise any questions you might have via the chat on our website.
This guide will be updated regularly, and we’ll let you know when we make any changes to the guide.
Sources we’ve used:
https://Ico.org.uk
https://ec.europa.eu
https://Datainspektionen.se
https://Verksamt.se
This section provides concrete tips and examples on how you can follow GDPR for different uses of personal data.
Naturally, you’re permitted to store email addresses of potential customers and to contact them by email. But there are two important things you need to consider:
Most modern CRM systems include functionality that allows recipients to opt out of receiving future emails with a single mouse click—but do make sure your system can do this and that it’s enabled.
GDPR also permits you to collect contact information for prospective customers, but its storage limitation principle means this information may not be kept indefinitely. Decide on a retention period, write it into your register and integrity policy, and review the list at regular intervals: contact any individuals you haven't been in touch with for a while, or alternatively erase the data.